EAP-TLS Attributes
Phil Mayers
p.mayers at imperial.ac.uk
Wed Nov 16 23:24:33 CET 2011
On 11/16/2011 09:53 PM, Houston-III, Lester L wrote:
> What I want to do now is have the StrongSwan VPN client inject some
> custom data into the EAP message so that data can be propagated through
> to JRADIUS for use in the post authorization method. Maybe something
> like creating my own attribute or something. Is this possible? If so,
> how can I do this? If not, is there a way to modify an existing
> FreeRADIUS attribute that can be modified by the StrongSwan VPN client?

Ok - you want to communicate data from the StrongSwan VPN client, to
JRadius?

Basically this is really, really hard. You will need to extend an EAP
mechanism to send some arbitrary payload, or make use of an existing EAP
mechanism that can carry such data. It will require source code changes
on both the StrongSwan client, and the FreeRADIUS server.

You can't "use a radius attribute" - the StrongSwan client doesn't speak
radius. It speaks EAP over IKE/IKEv2 to an IPSec peer, and the IPSec
peer transports the EAP over radius. Any data will therefore need to
travel inside the EAP mechanism.

What data do you want to communicate from client to server? Instead of
saying how you want to do something, state what you want to do.
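
The layering described in the reply above, as an added example that is not part of the original message or of FreeRADIUS/strongSwan code: it parses a constructed RADIUS Access-Request and separates the attributes written by the IPsec gateway from the EAP packet relayed inside EAP-Message (attribute 79, RFC 3579). The user name, NAS address, placeholder Message-Authenticator and TLS payload bytes are all constructed sample values.

```python
import struct

EAP_MESSAGE = 79  # RFC 3579: carries the client's EAP packet, possibly fragmented
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 79: "EAP-Message", 80: "Message-Authenticator"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_access_request(eap_packet):
    """Constructed sample of what the gateway (RADIUS client) sends to the server."""
    attrs = attr(1, b"vpnuser") + attr(4, bytes([192, 0, 2, 1]))
    # An attribute value holds at most 253 bytes, so long EAP packets are split.
    for i in range(0, len(eap_packet), 253):
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    attrs += attr(80, bytes(16))  # placeholder value, not a real HMAC-MD5
    return struct.pack("!BBH16s", 1, 7, 20 + len(attrs), bytes(16)) + attrs

def parse_attributes(packet):
    """Walk the attribute list, rejecting malformed lengths."""
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, out = 20, []
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return out

def client_eap_view(packet):
    """Reassemble EAP-Message fragments; everything else was set by the gateway."""
    attrs = parse_attributes(packet)
    frags = [v for t, v in attrs if t == EAP_MESSAGE]
    eap = b"".join(frags)
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if length != len(eap):
        raise ValueError("EAP length field does not match reassembled data")
    return {"eap_code": EAP_CODES.get(code, code), "eap_type": EAP_TYPES.get(etype, etype),
            "eap_length": length, "fragments": len(frags),
            "gateway_attrs": [ATTR_NAMES.get(t, t) for t, _ in attrs if t != EAP_MESSAGE]}

# Constructed EAP-Response/EAP-TLS: flags byte 0x00 plus 300 zero bytes standing in for TLS data
SAMPLE_EAP = struct.pack("!BBHBB", 2, 5, 306, 13, 0) + bytes(300)
if __name__ == "__main__":
    print(client_eap_view(build_access_request(SAMPLE_EAP)))
```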